Question asked by onlinerack:
SMB version 3 and file share encryption

Hello Experts,
OK, so this is a question that has not been asked here before, and I wonder how many have actually implemented it or even tried it.

In Windows 2012, MS introduced SMB v3. It is, as we know, superior to previous versions of SMB. However, I have a need to encrypt the traffic (in flight) from a Windows 2012 R2 server to another 2012 R2 server. I do not care about data at rest. SMB3 offers SMB Encryption so that if a client can communicate via SMB3, and so does the server, then all in-flight data will be fully encrypted.

The question is:
Have you done it before or tested it?
Do you have any input on how it will impact performance given CPU support AES encryption?
How hard is it to implement?
Do you have any reasons why or why not to do it?
Keep in mind, we will be pushing a ton of large data between the two servers continuously.
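The per-share encryption the question describes, as an added PowerShell example that is not part of the original thread. The share name "Data", the server name FS1 and the client name FS2 are assumptions for illustration; run the server part elevated on the file server and the client part on the other 2012 R2 host.

```powershell
# Added example, not from the original thread.
# Assumed names: share "Data" on server FS1, client FS2. Adjust for your environment.

# --- On the server (FS1): require encryption on just this share ---
Set-SmbShare -Name "Data" -EncryptData $true -Force

# RejectUnencryptedAccess controls what happens to clients that cannot encrypt
# (pre-SMB3). $true (the default) refuses them on encrypted shares; $false lets
# them in unencrypted, which silently defeats the point of the setting above.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# Confirm which shares now require encryption
Get-SmbShare | Select-Object Name, Path, EncryptData

# --- On the client (FS2): open the share, then inspect the live connection ---
Get-ChildItem "\\FS1\Data" | Out-Null          # forces an SMB session to be set up

# Between two 2012 R2 hosts the Dialect should read 3.02. The encryption state is
# assumed here to be exposed as the "Encrypted" property; if your build does not
# list it, dump everything with Format-List * and look for it there.
Get-SmbConnection -ServerName FS1 | Format-List ServerName, ShareName, Dialect, Encrypted
```

Two practical notes: SMB 3.0.x (what 2012 R2 speaks) encrypts with AES-128-CCM, and the AES-128-GCM mode that is noticeably cheaper per byte only arrived with SMB 3.1.1 in Windows 10 / Server 2016, so a 2012 R2 to 2012 R2 transfer is stuck with CCM; and because encryption is negotiated per connection, a client that silently falls back to SMB2 would simply be refused by the share rather than connect in the clear, which is the behaviour you want for sensitive data.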
ASKER CERTIFIED SOLUTION
Cliff Galiher
(Solution text is only available to Experts Exchange members and is not shown here.)
onlinerack (ASKER):
Thank you for your quick response.
These are going to be physical servers with 32 dedicated cores (2x node clustered source and 2x node clustered destination).
A lot of data will be pushed via smb3.

Data is sensitive, so we want to encrypt just this file share so that during transmission of data we are secure. We have a 10 Gbps backbone as well.

Our choices are: doing it via SMB3 and copying data that way, which I think would be the fastest and most secure, or using software to transfer the data and encrypt it (not using SMB3), which will likely not give us the same throughput. What do you think?
SMB3 *is* software. So asking for a performance comparison to some unspecified software is simply not possible. In a complete vacuum, one could theoretically state that the performance difference would not exist. Both are transferring data. Both are encrypting and decrypting. Thus both are the same.
True and good points.
My question was not as clear, but in theory, SMB3 is obviously years' worth of research and work by MS and other vendors. I was thinking the throughput of SMB3, coupled with its file share encryption capability, may be way ahead of using a (replication) software that would establish a socket-to-socket connection to transmit the data.
Remember we are using a 10G backbone. Are you aware of any software that could top SMB3 yet provide us the encryption in flight?
Or what would be your advice given you have been through the SMB3 and tested encryption?
Too many variables and options to list. IPsec has been baked into the TCP/IP stack for years. There is more administrative overhead, but with the proper hardware and tuning with offloading capabilities, you could get more throughput. SMB, like NFS, is meant to make sharing easy. But for large known transfers, FTP is still superior, beating SMB3 and HTTP. But it isn't architected for "browsing." So for some use cases, FTP over SSL might be a better option. I could go on, but I think I've demonstrated that the follow-up questions are just too broad. There are still planning and design solutions that IT Pros get paid to figure out. Can't really be expected to wing it in a forum like EE.
I will give it a shot. In one lab test it showed 1.2TB an hour throughput with SMB. I am thinking this is a pretty good result. Agree?
Thank you for your help.
That seems a bit slow to me. Even with the overhead of SMB and encryption, I'd normally want to see >2TB/hr over a 10Gb link.
hmmm... Do you have jumbo frames turned on or any additional configs done if I may ask?
Jumbo frames, of course. But RSS. For 10Gb NICs this is very important. Or you'll top out at 3Gb/s and one of your CPU cores will be pegged at 100%.
Perfect, thank you. I may open up additional questions later as we proceed forward. I did not think of RSS. I am not sure if it is enabled by default.
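Checking and enabling RSS and jumbo frames as discussed above, as an added PowerShell example that is not part of the original thread. The adapter name "10G-Backbone", the MTU value and the core ranges are assumptions; run it elevated on both servers and adjust the numbers to your NICs and NUMA layout.

```powershell
# Added example, not from the original thread.
# Assumed adapter name "10G-Backbone"; queue/core numbers are illustrative only.
$nic = "10G-Backbone"

# 1. Is RSS on, and how many queues / which cores is it using?
#    (Whether it is on by default depends on the driver and OEM image, so check, don't assume.)
Get-NetAdapterRss -Name $nic

# 2. Turn it on if it is off.
Enable-NetAdapterRss -Name $nic

# 3. Spread receive processing over several cores instead of pegging one.
#    Example values: 8 queues, starting at core 2, at most 8 cores, all on one NUMA node.
Set-NetAdapterRss -Name $nic -NumberOfReceiveQueues 8 -BaseProcessorNumber 2 -MaxProcessors 8

# 4. Jumbo frames: read the current value, then set 9014 bytes.
#    The switches and the peer NIC must agree end to end or you get fragmentation, not speed.
Get-NetAdapterAdvancedProperty -Name $nic -RegistryKeyword "*JumboPacket"
Set-NetAdapterAdvancedProperty -Name $nic -RegistryKeyword "*JumboPacket" -RegistryValue 9014

# 5. SMB Multichannel only opens several TCP connections per session over an
#    RSS-capable NIC, so the interfaces you copy over should report RSS Capable = True
#    on both the client and the server side.
Get-SmbClientNetworkInterface
Get-SmbServerNetworkInterface

# 6. While a large copy is running, confirm multichannel really did fan out.
Get-SmbMultichannelConnection
```

The link between steps 1-3 and step 5 is the point: without RSS, SMB Multichannel falls back to a single TCP connection and all receive interrupts land on one core, which is exactly the "3Gb/s and one core at 100%" symptom described above. Run step 6 during the actual transfer, not before, since the connections only exist while a session is active.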
About the speed: it is pretty useless to say "1TB/h is slow/not slow" if we don't know what you copy and how. This is no benchmark, right? File copy speed depends on file sizes, because the accumulated latency is higher if there are many small files. Also there might be virus scanning in between and so on.
Good point, we are looking at 50 to 60GB files adding up to 10TB.
AV is removed from the testing
Small files are not part of this equation.
OK, I have never seen 10 GBit/s in action, I must confess, but using SMBv3 on 1 GBit/s, I got nearly 99% of the theoretical maximum. Please use some test like netio or iperf. Using file copy as a speed test is useless, because it also depends on storage speed. If your storage (source and target) cannot do 10 GBit/s, no wonder...
http://www.ars.de/ars/ars.nsf/docs/netio